Cobalt

Summary of Actor: Cobalt, also known as Cobalt Group or Cobalt Gang, is a cybercriminal group primarily known for its bank heists and financially motivated attacks. The group has been active since at least 2016 and is notorious for the sophisticated malware and tactics it uses against financial institutions globally.
General Features: Cobalt is known for its use of spear-phishing emails to deliver malicious payloads. The group primarily targets banks, ATMs, and other financial entities, using custom malware and sophisticated intrusion techniques to steal funds. It has been linked to numerous high-profile cyber heists.
Related Other Groups: Carbanak, FIN7
Indicators of Attack (IoA):
- Spear-phishing emails
- Use of custom malware such as Cobalt Strike
- Credential theft
- Lateral movement within networks
Recent Activities and Trends:
- Latest Campaigns: The latest campaigns by Cobalt involve phishing emails with malicious attachments that exploit vulnerabilities in Microsoft Office. These campaigns focus on financial institutions in various regions, particularly targeting banks' internal networks.
- Emerging Trends: Cobalt has been seen leveraging more zero-day exploits and increasingly using living-off-the-land techniques to avoid detection. The group is also shifting towards targeting cryptocurrency exchanges and blockchain-related financial entities.
Aliases: Mule Libra, Cobalt Spider, Gold Kingswood, TAG-CR3, Cobalt Strike (+3 more)
Countries: Bulgaria, Malaysia, Austria, Poland, USA (+26 more)
Sectors: Retail, Finance, Electrical & Electronics Manufacturing
Tools: sectop_rat, win.atmspitter, PsExec, win.cobint, venom_lnk (+21 more)
Techniques: T1059.007, T1090.003, T1123 - Audio Capture, T1530 - Data from Cloud Storage Object, T1573 (+230 more)
Tactic | Id | Technique
---|---|---
Collection | T1005 | Data from Local System
Collection | T1039 | Data from Network Shared Drive
Collection | T1119 | Automated Collection
Collection | T1114 | Email Collection
Collection | T1123 | Audio Capture
Collection | T1560 | Archive Collected Data
Collection | T1530 | Data from Cloud Storage
Collection | T1115 | Clipboard Data
Collection | T1185 | Browser Session Hijacking
Collection | T1113 | Screen Capture
Collection | T1056 | Input Capture
Collection | T1074 | Data Staged
Command And Control | T1008 | Fallback Channels
Command And Control | T1132 | Data Encoding
Command And Control | T1071 | Application Layer Protocol
Command And Control | T1572 | Protocol Tunneling
Command And Control | T1573 | Encrypted Channel
Command And Control | T1104 | Multi-Stage Channels
Command And Control | T1094 | Custom Command and Control Protocol
Command And Control | T1095 | Non-Application Layer Protocol
Command And Control | T1102 | Web Service
Command And Control | T1219 | Remote Access Tools
Command And Control | T1105 | Ingress Tool Transfer
Command And Control | T1043 | Commonly Used Port
Command And Control | T1001 | Data Obfuscation
Command And Control | T1571 | Non-Standard Port
Command And Control | T1090 | Proxy
Credential Access | T1187 | Forced Authentication
Credential Access | T1503 | Credentials from Web Browsers
Credential Access | T1552 | Unsecured Credentials
Credential Access | T1081 | Credentials in Files
Credential Access | T1110 | Brute Force
Credential Access | T1555 | Credentials from Password Stores
Credential Access | T1056 | Input Capture
Credential Access | T1539 | Steal Web Session Cookie
Credential Access | T1558 | Steal or Forge Kerberos Tickets
Credential Access | T1003 | OS Credential Dumping
Defense Evasion | T1070 | Indicator Removal
Defense Evasion | T1601 | Modify System Image
Defense Evasion | T1550 | Use Alternate Authentication Material
Defense Evasion | T1220 | XSL Script Processing
Defense Evasion | T1107 | File Deletion
Defense Evasion | T1170 | Mshta
Defense Evasion | T1127 | Trusted Developer Utilities Proxy Execution
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information
Defense Evasion | T1562 | Impair Defenses
Defense Evasion | T1218 | System Binary Proxy Execution
Defense Evasion | T1027 | Obfuscated Files or Information
Defense Evasion | T1078 | Valid Accounts
Defense Evasion | T1112 | Modify Registry
Defense Evasion | T1085 | Rundll32
Defense Evasion | T1130 | Install Root Certificate
Defense Evasion | T1548 | Abuse Elevation Control Mechanism
Defense Evasion | T1036 | Masquerading
Defense Evasion | T1574 | Hijack Execution Flow
Defense Evasion | T1553 | Subvert Trust Controls
Defense Evasion | T1134 | Access Token Manipulation
Defense Evasion | T1564 | Hide Artifacts
Defense Evasion | T1497 | Virtualization/Sandbox Evasion
Defense Evasion | T1055 | Process Injection
Discovery | T1082 | System Information Discovery
Discovery | T1033 | System Owner/User Discovery
Discovery | T1124 | System Time Discovery
Discovery | T1046 | Network Service Discovery
Discovery | T1614 | System Location Discovery
Discovery | T1083 | File and Directory Discovery
Discovery | T1049 | System Network Connections Discovery
Discovery | T1016 | System Network Configuration Discovery
Discovery | T1135 | Network Share Discovery
Discovery | T1069 | Permission Groups Discovery
Discovery | T1012 | Query Registry
Discovery | T1087 | Account Discovery
Discovery | T1217 | Browser Information Discovery
Discovery | T1007 | System Service Discovery
Discovery | T1482 | Domain Trust Discovery
Discovery | T1018 | Remote System Discovery
Discovery | T1120 | Peripheral Device Discovery
Discovery | T1497 | Virtualization/Sandbox Evasion
Discovery | T1518 | Software Discovery
Discovery | T1057 | Process Discovery
Execution | T1106 | Native API
Execution | T1047 | Windows Management Instrumentation
Execution | T1569 | System Services
Execution | T1170 | Mshta
Execution | T1203 | Exploitation for Client Execution
Execution | T1204 | User Execution
Execution | T1559 | Inter-Process Communication
Execution | T1085 | Rundll32
Execution | T1053 | Scheduled Task/Job
Execution | T1059 | Command and Scripting Interpreter
Exfiltration | T1567 | Exfiltration Over Web Service
Exfiltration | T1030 | Data Transfer Size Limits
Exfiltration | T1048 | Exfiltration Over Alternative Protocol
Exfiltration | T1029 | Scheduled Transfer
Exfiltration | T1041 | Exfiltration Over C2 Channel
Exfiltration | T1020 | Automated Exfiltration
Exfiltration | T1011 | Exfiltration Over Other Network Medium
Impact | T1490 | Inhibit System Recovery
Impact | T1529 | System Shutdown/Reboot
Impact | T1561 | Disk Wipe
Impact | T1485 | Data Destruction
Impact | T1489 | Service Stop
Impact | T1498 | Network Denial of Service
Impact | T1486 | Data Encrypted for Impact
Impact | T1531 | Account Access Removal
Initial Access | T1189 | Drive-by Compromise
Initial Access | T1199 | Trusted Relationship
Initial Access | T1190 | Exploit Public-Facing Application
Initial Access | T1195 | Supply Chain Compromise
Initial Access | T1078 | Valid Accounts
Initial Access | T1566 | Phishing
Initial Access | T1133 | External Remote Services
Lateral Movement | T1550 | Use Alternate Authentication Material
Lateral Movement | T1097 | Pass the Ticket
Lateral Movement | T1570 | Lateral Tool Transfer
Lateral Movement | T1021 | Remote Services
Lateral Movement | T1563 | Remote Service Session Hijacking
Persistence | T1098 | Account Manipulation
Persistence | T1137 | Office Application Startup
Persistence | T1136 | Create Account
Persistence | T1176 | Software Extensions
Persistence | T1547 | Boot or Logon Autostart Execution
Persistence | T1078 | Valid Accounts
Persistence | T1112 | Modify Registry
Persistence | T1060 | Registry Run Keys / Startup Folder
Persistence | T1505 | Server Software Component
Persistence | T1574 | Hijack Execution Flow
Persistence | T1053 | Scheduled Task/Job
Persistence | T1543 | Create or Modify System Process
Persistence | T1037 | Boot or Logon Initialization Scripts
Persistence | T1133 | External Remote Services
Persistence | T1546 | Event Triggered Execution
Privilege Escalation | T1098 | Account Manipulation
Privilege Escalation | T1547 | Boot or Logon Autostart Execution
Privilege Escalation | T1078 | Valid Accounts
Privilege Escalation | T1548 | Abuse Elevation Control Mechanism
Privilege Escalation | T1574 | Hijack Execution Flow
Privilege Escalation | T1053 | Scheduled Task/Job
Privilege Escalation | T1068 | Exploitation for Privilege Escalation
Privilege Escalation | T1543 | Create or Modify System Process
Privilege Escalation | T1134 | Access Token Manipulation
Privilege Escalation | T1055 | Process Injection
Privilege Escalation | T1037 | Boot or Logon Initialization Scripts
Privilege Escalation | T1546 | Event Triggered Execution
Reconnaissance | T1592 | Gather Victim Host Information
Reconnaissance | T1595 | Active Scanning
Resource Development | T1588 | Obtain Capabilities
Resource Development | T1583 | Acquire Infrastructure
Resource Development | T1587 | Develop Capabilities
Total Count: 933
https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta
https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/
https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/
https://www.secureworks.com/research/threat-profiles/gold-niagara
https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos
https://blog.group-ib.com/colunmtk_apt41
https://hitcon.org/2023/CMT/slide/Unmasking%20CamoFei_An%20In-depth%20Analysis%20of%20an%20Emerging%20APT%20Group%20Focused%20on%20Healthcare%20Sectors%20in%20East%20Asia.pdf
https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery
https://www.crowdstrike.com/blog/how-crowdstrike-threat-hunters-identified-a-confluence-exploit/
https://thedfirreport.com/2021/01/31/bazar-no-ryuk/
https://www.rapid7.com/blog/post/2024/08/12/ongoing-social-engineering-campaign-refreshes-payloads/
https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf
https://twitter.com/Unit42_Intel/status/1461004489234829320
https://www.cyberark.com/resources/threat-research/analyzing-malware-with-hooks-stomps-and-return-addresses-2
https://us-cert.cisa.gov/ncas/alerts/aa21-265a
https://www.youtube.com/watch?v=42yldTQ-fWA
https://twitter.com/MsftSecIntel/status/1522690116979855360
https://twitter.com/vikas891/status/1385306823662587905
https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023
https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure
https://blog.talosintelligence.com/2018/06/my-little-formbook.html
https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/
https://breakpoint-labs.com/blog/cobalt-strike-and-ransomware-tracking-an-effective-ransomware-campaign/
https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/
https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware
https://attack.mitre.org/software/S0284/
https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/
https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/
https://twitter.com/TheDFIRReport/status/1356729371931860992
https://www.contextis.com/en/blog/dll-search-order-hijacking
https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489
https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153
https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/
https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html
https://securelist.com/apt-trends-report-q3-2020/99204/
https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
https://michaelkoczwara.medium.com/mapping-and-pivoting-cobalt-strike-c2-infrastructure-attributed-to-cve-2021-40444-438786fcd68a
https://isc.sans.edu/diary/rss/27618
https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/
https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html
https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon
https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns
https://x.com/embee_research/status/1736758775326146778
https://pan-unit42.github.io/playbook_viewer/?pb=mulelibra
https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent
https://www.secureworks.com/research/threat-profiles/bronze-mohawk
https://www.lac.co.jp/lacwatch/report/20210521_002618.html
https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware
https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf
https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/
https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf
https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/
https://blog.malwarebytes.com/threat-intelligence/2022/07/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/
https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html
https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/
https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/
https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/
https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry
https://www.silentpush.com/blog/consequences-the-conti-leaks-and-future-problems
https://wbglil.gitbook.io/cobalt-strike/
https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966
https://kienmanowar.wordpress.com/2023/07/06/quicknote-examining-formbook-campaign-via-phishing-emails/
https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/
https://zero.bs/cobaltstrike-beacons-analyzed.html
https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
https://thehackernews.com/2024/06/moreeggs-malware-disguised-as-resumes.html
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/
https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf
https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2
https://expel.com/blog/more-eggs-and-some-linkedin-resume-spearphishing
https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/
https://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-phishing-campaign-part-ii
https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/
https://malcat.fr/blog/reversing-a-nsis-dropper-using-quick-and-dirty-shellcode-emulation/
https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/
https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021
https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise
https://www.qurium.org/alerts/targeted-malware-against-crph/
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf
https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/
https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus
https://thedfirreport.com/2022/03/07/2021-year-in-review/
https://cert.gov.ua/article/37704
https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
https://hitcon.org/2024/CMT/slides/Sailing_the_Seven_SEAs_Deep_Dive_into_Polaris_Arsenal_and_Intelligence_Insights.pdf
https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility
https://blogs.blackberry.com/en/2021/10/blackberry-shines-spotlight-on-evolving-cobalt-strike-threat-in-new-book
https://censys.com/a-beginners-guide-to-hunting-open-directories/
https://isc.sans.edu/diary/rss/28934
https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html
https://www.guidepointsecurity.com/blog/a-ransomware-near-miss-proxyshell-a-rat-and-cobalt-strike/
https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf
https://go.recordedfuture.com/hubfs/reports/cta-2024-1209.pdf
https://www.brighttalk.com/webcast/7451/462719
https://www.netresec.com/?page=Blog&month=2024-01&post=Hunting-for-Cobalt-Strike-in-PCAP
https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf
https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/
https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html
https://twitter.com/alex_lanstein/status/1399829754887524354
https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf
https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia
https://malcat.fr/blog/statically-unpacking-a-simple-net-dropper/
https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/
https://intel471.com/blog/a-brief-history-of-ta505
https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/
https://www.esentire.com/blog/hacker-infrastructure-used-in-cisco-breach-discovered-attacking-a-top-workforce-management-corporation-russias-evil-corp-gang-suspected-reports-esentire
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf
https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/
https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/
https://explore.group-ib.com/htct/hi-tech_crime_2018
https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://www.secureworks.com/blog/detecting-cobalt-strike-cybercrime-attacks
https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/
https://www.mandiant.com/media/10916/download
https://github.com/Still34/landing/blob/master/assets/slides/2024-08-Sailing%20the%20Seven%20SEAs.pdf
https://news.sophos.com/en-us/2020/05/14/raticate/
https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf
https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection
https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/
https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9
https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my
https://blog.nviso.eu/2021/04/26/anatomy-of-cobalt-strike-dll-stagers/
https://www.youtube.com/watch?v=K3Yxu_9OUxU
https://www.intrinsec.com/proxynotshell-owassrf-merry-xchange/
https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/
https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes
http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/
https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads
https://www.mdsec.co.uk/2021/07/investigating-a-suspicious-service/
https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/
https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
https://securityscorecard.com/blog/securityscorecard-finds-usaid-hack-much-larger-than-initially-thought
https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
https://socfortress.medium.com/detecting-cobalt-strike-beacons-3f8c9fdcb654
https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d8339e9a-c946-4304-aac4-722d8652d273
https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files
https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/
https://twitter.com/swisscom_csirt/status/1354052879158571008
https://www.helpnetsecurity.com/2016/11/22/cobalt-hackers-synchronized-atm-heists/
https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf
https://attack.mitre.org/groups/G0096
https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468
https://lab52.io/blog/beyond-appearances-unknown-actor-using-apt29s-ttp-against-chinese-users/
https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya
https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/
https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive
https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists
https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664
https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a
https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a
https://www.securonix.com/blog/threat-labs-security-advisory-new-ocxharvester-attack-campaign-leverages-modernized-more_eggs-suite/
https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html
https://blog.nviso.eu/2022/03/22/cobalt-strike-overview-part-7/
https://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html
https://malware-traffic-analysis.net/2021/09/29/index.html
https://www.youtube.com/watch?v=6SDdUVejR2w
https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/
https://securelist.com/loki-bot-stealing-corporate-passwords/87595/
https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html
https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/
https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf
https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
https://d01a.github.io/syscalls/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf
https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon
https://www.arashparsa.com/catching-a-malware-with-no-name/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/
https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/
https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
https://blog.zsec.uk/cobalt-strike-profiles/
https://www.rapid7.com/blog/post/2024/12/04/black-basta-ransomware-campaign-drops-zbot-darkgate-and-custom-malware/
https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis
https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html
https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
http://www.secureworks.com/research/threat-profiles/gold-drake
https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html
https://community.riskiq.com/article/c88cf7e6
https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/
https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf
https://www.fortinet.com/blog/threat-research/deep-analysis-new-formbook-variant-delivered-phishing-campaign-part-I
https://www.mandiant.com/resources/defining-cobalt-strike-components
https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf
https://blog.macnica.net/blog/2020/11/dtrack.html
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://kienmanowar.wordpress.com/2021/09/06/quick-analysis-cobaltstrike-loader-and-shellcode/
https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/
https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/
https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan
https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/
https://www.lac.co.jp/lacwatch/people/20180521_001638.html
https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728
https://www.varonis.com/blog/hive-ransomware-analysis
https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html
https://www.trendmicro.com/en_us/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html
https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A
https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing
https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks
https://www.fortinet.com/blog/threat-research/excel-document-delivers-malware-by-exploiting-cve-2017-11882
https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
https://us-cert.cisa.gov/ncas/alerts/aa20-275a
https://www.logpoint.com/en/blog/hiding-in-plain-sight-the-subtle-art-of-loki-malwares-obfuscation/
https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf
https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html
https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/earth-baku-returns
https://bmcder.com/blog/extracting-cobalt-strike-from-windows-error-reporting
https://securelist.com/apt-trends-report-q2-2020/97937/
https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encryption-decryption/
https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf
https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/
https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord
https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811
https://michaelkoczwara.medium.com/cobalt-strike-powershell-payload-analysis-eecf74b3c2f7
https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang
https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview
https://www.secureworks.com/research/threat-profiles/tin-woodlawn
https://embee-research.ghost.io/shodan-censys-queries/
https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/
https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis/
https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/
https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/
https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/
https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout
https://insight-jp.nttsecurity.com/post/102ho8o/operation-restylink
https://cert.gov.ua/article/619229
https://go.recordedfuture.com/hubfs/reports/cta-cn-2024-1112.pdf
https://community.riskiq.com/article/0bcefe76
https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/
https://services.google.com/fh/files/blogs/gcat_threathorizons_full_jul2023.pdf
https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
https://twitter.com/Arkbird_SOLG/status/1301536930069278727
https://insights.oem.avira.com/a-new-technique-to-analyze-formbook-malware-infections/
https://github.com/itaymigdal/malware-analysis-writeups/blob/main/FormBook/FormBook.md
https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/
https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950
https://www.inky.com/blog/colonial-pipeline-ransomware-hack-unleashes-flood-of-related-phishing-attempts
https://web.archive.org/web/20230209123148/https://www.cybereason.com/hubfs/THREAT%20ALERT%20GootLoader%20-%20Large%20payload%20leading%20to%20compromise%20(BLOG).pdf
https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/
https://www.telsy.com/legitimate-sites-used-as-cobalt-strike-c2s-against-indian-government/
https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
https://www.blackhillsinfosec.com/dns-over-https-for-cobalt-strike/
https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf
https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/
https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/
https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/
https://twitter.com/felixw3000/status/1521816045769662468
https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/
https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/
https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware
https://isc.sans.edu/diary/rss/28448
https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/
https://pylos.co/2018/11/18/cozybear-in-from-the-cold/
https://twitter.com/redcanary/status/1334224861628039169
https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/
https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/
https://www.elastic.co/security-labs/grimresource
https://security.macnica.co.jp/blog/2022/05/iso.html
https://hunt.io/blog/rare-watermark-links-cobalt-strike-team-servers-to-ongoing-suspicious-activity
https://thedfirreport.com/2020/10/08/ryuks-return/
https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html
https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/
https://redcanary.com/blog/intelligence-insights-december-2021
https://www.sans.org/webcasts/contrarian-view-solarwinds-119515
https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html
https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf
https://marcoramilli.com/2019/10/28/sweed-targeting-precision-engineering-companies-in-italy/
https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/
https://unit42.paloaltonetworks.com/atoms/mulelibra/
https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf
https://www.group-ib.com/blog/cobalt
https://isc.sans.edu/diary/rss/28752
https://0xmrmagnezi.github.io/malware%20analysis/FormBook/
https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/
https://blog.morphisec.com/vmware-identity-manager-attack-backdoor
https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report
https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718
https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader
https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b
https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors
https://www.ciphertechsolutions.com/roboski-global-recovery-automation/
https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html
https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41
https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/
https://isc.sans.edu/diary/26806
https://blog.morphisec.com/log4j-exploit-targets-vulnerable-unifi-network-applications
https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf
https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/
https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/
https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control
https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf
https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html
https://www.youtube.com/watch?v=ysN-MqyIN7M
https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw
https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/
https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/
https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments
https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/
https://paper.seebug.org/1301/
https://github.com/chronicle/GCTI
https://github.com/dodo-sec/Malware-Analysis/blob/main/Cobalt%20Strike/Indirect%20Syscalls.md
https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/
https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/
https://0xmrmagnezi.github.io/malware%20analysis/LokiBot/
https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
https://www.youtube.com/watch?v=FC9ARZIZglI
https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/
https://www.cyren.com/blog/articles/example-analysis-of-multi-component-malware
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-september-cobalt-spider/
https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html
https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/
https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf
https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/
https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf
https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos
https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/
https://twitter.com/ffforward/status/1324281530026524672
https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/
https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
https://twitter.com/cglyer/status/1480742363991580674
https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
https://mp.weixin.qq.com/s/peIpPJLt4NuJI1a31S_qbQ
https://blog.talosintelligence.com/warmcookie-analysis/
https://www.connectwise.com/resources/formbook-remcos-rat
https://binary.ninja/2022/07/22/reverse-engineering-cobalt-strike.html
https://www.aon.com/cyber-solutions/aon_cyber_labs/cobalt-strike-configuration-extractor-and-parser/
https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/
http://www.secureworks.com/research/threat-profiles/gold-evergreen
https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter
https://hunt.io/blog/tricks-treats-threats-cobalt-strike-the-goblin-lurking-in-plain-sight
https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/
https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/
https://isc.sans.edu/diary/rss/28664
https://blog.morphisec.com/proxyshell-exchange-exploitation-now-leads-to-an-increasing-amount-of-cobaltstrike-backdoors
https://www.uperesia.com/analysis-of-a-packed-pony-downloader
https://blog.nviso.eu/2021/10/27/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-2/
https://hitcon.org/2024/CMT/slides/Pirates_of_The_Nang_Hai_Follow_the_Artifacts_of_Tropic_Trooper,_No_One_Knows.pdf
https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/
https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/
https://asec.ahnlab.com/en/31811/
https://www.riskiq.com/blog/labs/cobalt-strike/
https://cert.gov.ua/article/339662
https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/
https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf
https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/
https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive
https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims
https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145
https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/
https://isc.sans.edu/diary/26752
https://isc.sans.edu/diary/27308
https://redcanary.com/blog/grief-ransomware/
https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022
https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach
https://twitter.com/AltShiftPrtScn/status/1385103712918642688
https://news.sophos.com/en-us/2021/05/05/intervention-halts-a-proxylogon-enabled-attack
https://jp.security.ntt/tech_blog/appdomainmanager-injection
https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/
https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper
https://www.secureworks.com/research/darktortilla-malware-analysis
https://www.lastline.com/blog/password-stealing-malware-loki-bot/
https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://elastic.github.io/security-research/intelligence/2022/01/02.collecting-cobalt-strike-beacons/article/
https://www.youtube.com/watch?v=XfUTpwZKCDU
https://us-cert.cisa.gov/ncas/alerts/aa21-148a
https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware
https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf
https://thedfirreport.com/2022/04/25/quantum-ransomware/
https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/
https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target
https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
https://www.guidepointsecurity.com/yet-another-cobalt-strike-loader-guid-edition/
https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/
https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf
https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
https://twitter.com/AltShiftPrtScn/status/1403707430765273095
https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
https://www.secureworks.com/research/threat-profiles/gold-dupont
https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout
https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/
https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure
https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65
https://www.malware-traffic-analysis.net/2021/09/17/index.html
https://twitter.com/VK_Intel/status/1294320579311435776
https://boschko.ca/cobalt-strike-process-injection/
https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/
https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#
https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/
https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom
https://www.mandiant.com/resources/apt41-us-state-governments
https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-urls-in-spam-part-2/
https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/
https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/
http://www.secureworks.com/research/threat-profiles/gold-essex
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue
https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf
https://www.lac.co.jp/lacwatch/report/20220307_002893.html
https://embee-research.ghost.io/ghidra-basics-shellcode-analysis/
https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/
https://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection
https://www.malware-traffic-analysis.net/2023/10/03/index.html
https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html
https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spammed-png-file-hides-lokibot/
https://www.cynet.com/understanding-squirrelwaffle/
https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/
https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks
https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf
https://thehackernews.com/2022/05/malware-analysis-trickbot.html
https://www.zscaler.com/blogs/security-research/technical-analysis-xloaders-code-obfuscation-version-43
https://vanmieghem.io/blueprint-for-evading-edr-in-2022/
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services
https://www.youtube.com/watch?v=C733AyPzkoc
https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot
https://www.youtube.com/watch?v=WW0_TgWT2gs
https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one
https://blog.talosintelligence.com/2021/05/ctir-case-study.html
https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g
https://unit42.paloaltonetworks.com/cobalt-strike-team-server/
https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
https://skyblue.team/posts/scanning-virustotal-firehose/
http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html
https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/
https://www.mandiant.com/resources/sabbath-ransomware-affiliate
https://www.trustnet.co.il/blog/virus-alert-to-powershell-encrypted-loader/
https://www.prevailion.com/what-wicked-webs-we-unweave/
https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html
https://www.ironnet.com/blog/tracking-cobalt-strike-servers-used-in-cyberattacks-on-ukraine
https://www.huntress.com/blog/cybersecurity-advisory-vmware-horizon-servers-actively-being-hit-with-cobalt-strike
https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/
https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v
https://blogs.quickheal.com/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data/
https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/
https://asec.ahnlab.com/en/32149/
https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections
https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/
https://intel471.com/blog/conti-emotet-ransomware-conti-leaks
https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine
https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
https://blog.checkpoint.com/research/chinese-espionage-campaign-expands-to-target-africa-and-the-caribbean/
https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations
https://www.knowbe4.com/pony-stealer
https://unit42.paloaltonetworks.com/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/
https://thedfirreport.com/2024/08/26/blacksuit-ransomware/
https://morphuslabs.com/attackers-are-abusing-msbuild-to-evade-defenses-and-implant-cobalt-strike-beacons-edac4ab84f42
https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/
https://teamt5.org/en/posts/hiding-in-plain-sight-obscuring-c2s-by-abusing-cdn-services
https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1
https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3
https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html
https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir
https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/
https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf
https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618
https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf
https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/
http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems
https://assets.virustotal.com/reports/2021trends.pdf
https://www.ic3.gov/Media/News/2021/210823.pdf
https://blogs.blackberry.com/en/2022/01/log4u-shell4me
https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf
https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/
https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
https://twitter.com/elisalem9/status/1398566939656601606
https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html
https://bmcder.com/blog/cobalt-strike-dfir-listening-to-the-pipes
https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html
https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf
https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf
https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/
https://www.recordedfuture.com/research/china-nexus-tag-112-compromises-tibetan-websites
https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html
https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/
https://cert.gov.ua/article/703548
https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware
https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/
https://www.mandiant.com/resources/unc2452-merged-into-apt29
https://isc.sans.edu/diary/28636
https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire
https://sublime.security/blog/xloader-deep-dive-link-based-malware-delivery-via-sharepoint-impersonation/
https://www.esentire.com/web-native-pages/unmasking-venom-spider
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac/IOCs%20-%20Earth%20Baxia%20Uses%20Spear-Phishing%20and%20GeoServer%20Exploit%20to%20Target%20APAC.txt
https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
https://blog.morphisec.com/cobalt-gang-2.0
https://twitter.com/Cryptolaemus1/status/1407135648528711680
https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/
https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/
https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e
https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/
https://michaelkoczwara.medium.com/cobalt-strike-hunting-dll-hijacking-attack-analysis-ffbf8fd66a4e
https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/
https://securelist.com/apt-luminousmoth/103332/
https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf
https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf
https://thedfirreport.com/2022/09/26/bumblebee-round-two/
https://blogs.vmware.com/security/2020/09/detecting-threats-in-real-time-with-active-c2-information.html
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/
https://clickallthethings.wordpress.com/2020/03/31/lokibot-getting-equation-editor-shellcode/
https://www.mandiant.com/resources/evolution-of-fin7
https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/
https://www.youtube.com/watch?v=YDtLmhw_nTo